Aye Captn's
I'm trying to make my OpenBSD 3.3 i386 router work 100% correctly as
router and firewall between the evil oceans of the internet and my local
network.
My vr0 card is connected to the internet and the xl0 is connected to all
the clients behind the OpenBSD router/firewall.
# macro definitions (not in the original post; vr0/xl0 from the text, LAN range assumed)
ext_if="vr0"
int_if="xl0"
lan_net="10.0.1.0/24"
# packet normalisation
scrub in on $ext_if all
# rdr to port 4661
rdr on $ext_if proto tcp from any to any port 4661 -> 10.0.1.3 port 4661
# get the machines on the local network online
nat on $ext_if inet from $lan_net to any -> ($ext_if)
# default deny on external nic
block in log on $ext_if all
block out log on $ext_if all
# free traffic on lo0
pass quick on lo0 all
# free traffic on the internal nic
pass in on $int_if all
pass out on $int_if all
# connections that we do accept
pass in log on $ext_if proto tcp from any to any port {113,4661} flags S/SA keep state
pass in log on $ext_if proto tcp from any to $ext_if port {21,22,80} flags S/SA keep state
# outgoing connections that we accept
pass out quick log on $ext_if proto tcp from $int_if to any port {110,80} flags S/SA keep state
If I set these rules, everything I try to send out from the internal
network just goes through; I can use whatever port I want and still
get online. How do I filter traffic so that the internal network can
only make those connections I want?
Also, I can't get e.g. irssi to run from the OpenBSD box if I have set
those rules; even if I set "pass out quick log on $ext_if all", irssi
won't get connected. I have to open for all incoming traffic to get it
online. Even lynx won't connect to anything. What point of packet filter
am I missing? (I have read the FAQ numerous times.)
Best Regards.
Lasse Stig Thomsen
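As an added example that is not part of the original post: a ruleset for the same vr0/xl0 layout that restricts what LAN clients may initiate by filtering each connection on the internal interface, where it first enters the router, instead of relying on a pass out rule on the external interface. The LAN range 10.0.1.0/24 and the port lists are assumptions; 10.0.1.3 and the interface names come from the post.

```pf
# Added example, not the poster's ruleset. LAN egress is decided on xl0 (the
# interface the clients enter on); vr0 only sees what xl0 already let in.
# vr0/xl0 and 10.0.1.3 are from the post; 10.0.1.0/24 is an assumed LAN range.
ext_if="vr0"
int_if="xl0"
lan_net="10.0.1.0/24"
lan_tcp_out="{ 80, 110 }"       # assumed: what LAN clients may reach outside
router_tcp_in="{ 21, 22, 80 }"  # services on the router reachable from outside

scrub in on $ext_if all

# translation
rdr on $ext_if proto tcp from any to any port 4661 -> 10.0.1.3 port 4661
nat on $ext_if inet from $lan_net to any -> ($ext_if)

# default deny on every interface, so the internal side is filtered too
block in log all
block out log all
pass quick on lo0 all

# --- internal interface: LAN clients get only the listed destinations ---
# $lan_net is used on purpose: an interface name in an address position
# expands to that interface's own address, not to the attached subnet.
pass in on $int_if inet proto tcp from $lan_net to any port $lan_tcp_out flags S/SA keep state
pass in on $int_if inet proto udp from $lan_net to any port 53 keep state
# the router itself may talk to the LAN; replies to clients match state
pass out on $int_if inet from $int_if to $lan_net keep state

# --- external interface ---
pass in log on $ext_if inet proto tcp from any to $ext_if port $router_tcp_in flags S/SA keep state
pass in log on $ext_if inet proto tcp from any to $ext_if port 113 flags S/SA keep state
# the rdr target, seen with the already translated destination address
pass in log on $ext_if inet proto tcp from any to 10.0.1.3 port 4661 flags S/SA keep state
# what xl0 let in, plus the router's own client traffic (irssi, lynx, DNS),
# leaves here; keep state admits the replies
pass out on $ext_if inet proto tcp all flags S/SA keep state
pass out on $ext_if inet proto udp all keep state
pass out on $ext_if inet proto icmp all keep state
```

Loading it with pfctl -nf checks the syntax without activating it, and "block ... log" on both interfaces makes any connection a client was not granted visible on pflog0.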